
Generic OAuth

My SaaS will integrate 100+ services through OAuth. Adding an entry for each service into the privacy policy is not my preferred solution. Is it somehow possible to formulate a legal text that covers all OAuth'd services in a generic, single entry?

  • Hi Nico, sorry for the late reply. I needed to think about this for a while. The problem is that you'll want to disclose to the user who exactly is doing the connection legwork and who will be receiving user data. The most correct way I can think of is to write down exactly what an OAuth connection does: which data you are getting and which data the OAuth partner gets. Then you'll tell the user that this exact data will be shared with whichever provider the user chooses and that they should be aware of this and check out this partner's privacy-related processes. It's not nice, but it's the best I can come up with.
  • Hi Simon, thanks for your great answer. It helped me understand the requirements a lot. Actually, I have a special case: I use OAuth only to get data from the providers. I don't share my users' data with the OAuth provider. The only thing the OAuth provider gets to know is that its user made a connection to my app. Could it be that I don't even have to mention that in my privacy policy at all?
  • One thing in addition: the data I get from the OAuth provider is shared with other services I already list in my privacy policy. All data I retrieve from the OAuth provider is at least stored in my database and thus shared with my hosting service. It may also be shared, e.g. if a user sends a service request through my customer support widget with a screenshot attached. Does this require mentioning in the privacy policy?
  • Hi Nico, you're doing a good job explaining to me what's happening behind the scenes. This is exactly what your users want to know as well (ok, they may not want to know this, but that's what privacy regulation is about. Your users don't necessarily expect or know that the third-party provider knows which apps they use, what information you possess, etc.). Are you getting a clearer picture here? Simon